Get off of my cloud

EVEN before the European Court of Justice (ECJ) struck down the “safe-harbour” privacy pact between the European Union and America on October 6th, data-protection lawyers were in high demand. American clients asked if their firms’ data-flows across the Atlantic would become illegal—and if so, how to cope? The fears were justified. Though the ruling does not “break the internet”, as doom-mongers have it, businesses may have to find awkward and costly workarounds for data transfers, or shift to European data centres. More broadly, it marks a worrying escalation of a transatlantic row over privacy and data protection.

The safe-harbour pact, signed in 2000, was an attempt to bridge cultural and political differences regarding online privacy. The EU sees protection of personal data as a human right; America considers it mainly in terms of consumer protection, which leaves room for trade-offs. The pact allows firms to transfer data from the EU to America if they provide safeguards equivalent to those required by the EU’s data-protection directive (hence “safe harbour”). When it was negotiated, the internet was in its infancy and transatlantic data flows were small. The European Commission therefore accepted an agreement based on self-certification: firms could write a privacy policy and declare themselves compliant.

As the trickle of data crossing the Atlantic built into a tsunami, worries in Europe grew. But it took leaks by Edward Snowden, a contractor for America’s National Security Agency (NSA), showing widespread snooping to nudge the commission into a serious attempt at renegotiation. In late 2013 it published a list of the pact’s “deficiencies”, which included weak enforcement, baffling privacy policies and poor handling of complaints. Talks about an update started soon afterwards.

They might have progressed without publicity, had it not been for Max Schrems, an Austrian activist. Arguing that the NSA’s surveillance meant that Facebook could not protect his privacy, he filed a complaint against the social-networking site in Ireland, its European base. The Irish data-protection authority said it could not second-guess the European Commission, which, by signing the safe-harbour pact, had declared America’s data-protection rules adequate. So Mr Schrems took his complaint to the Irish High Court, which referred it to the ECJ. On September 23rd its advocate general, Yves Bot, published a strongly worded opinion siding with Mr Schrems.

The court’s decision this week has broadly followed that opinion. It struck down the safe-harbour agreement, saying that “legislation permitting [American] public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.” And it gave national data-protection authorities the power to decide individually whetherEurope-wide deals have sufficient safeguards, and to take cases to national courts if they conclude that such safeguards are lacking. Courts can then refer the matter to the ECJ, which has the final say.

The result is that any reworking of the safe-harbour agreement—and individual firms’ privacy policies—will be under constant scrutiny. The uncertainty created by the decision goes further: even firms that did not rely on safe-harbour provisions for their transatlantic data transfers, but on alternatives such as “model contracts” developed by the commission for cloud-computing services, may have to re-examine their legal position. Some in Brussels think that firms may now have to guarantee that data are adequately encrypted (ie, not accessible by the NSA).

You can’t always get what you want

The ECJ’s decision “puts at risk the thriving transatlantic digital economy”, said Penny Pritzker, America’s commerce secretary. Its sweeping nature will make it harder for America and the EU to conclude the renegotiations of the safe-harbour pact. Although agreement had already been reached on most of the commission’s concerns, those relating to access to data by American authorities remain. Resolving these would surely mean America accepting more of a check on the NSA than provided by the USA Freedom Act, which prohibits some large-scale collection of personal data (people abroad, for instance, are still fair game).

Separate plans to update the EU’s 20-year-old data-protection directive will further widen the privacy gap between Europe and America. The draft envisages the new rules covering organisations outside the EU that process personal data from EU citizens, meaning that an American website could fall under European law simply because it has visitors from, say, Germany. It would also hamper the exploitation of “big data”: sifting through heaps of digital information to find patterns and invent new services. Firms would have to get “explicit consent” for each new use.

Mr Snowden’s revelations had already accelerated a trend towards the balkanisation of the internet. To protect data related to their citizens and firms from American snooping, some countries are insisting that these are stored locally. This makes censorship and spying by national spooks easier, and means consumers and firms will have to use costlier local cloud services. As with trade, barriers to the free flow of data can cause serious economic harm: a study by the European Centre for International Political Economy found that localisation requirements in China and Vietnam reduced GDP by 1.1% and 1.7% respectively.

If America and the EU cannot agree, more countries will conclude that they, too, can impose their own standards. “Despite all their differences, the US and the EU have many things in common,” says Christopher Kuner of the Brussels Privacy Hub, a research centre. “If they can’t agree on privacy, how can the rest of the world?”